So You Want to Be a Cyber Security Professional - page 2

Open The Door To A Cyber Security Career

July 28, 2004

By Rob Reilly

Cyber security has been evolving quickly over the past few years. New products have been developed to combat the various vulnerabilities in today's software. Rice contends that developers need to begin to look in a different direction. The change needs to start in the classroom.

"Fundamentally, we need to improve the quality of our code base. Almost every exploit that we have is either our protocols are flawed, the implementation of the protocol is flawed, or we have some type of service that's offered, is flawed," Rice said. "But I think, what we really need to get to is not this idea of products...security products solving problems, but actually a revolution in software production, where we limit the amount of vulnerability that we generate from the code bases alone.

"It's a very, very difficult problem," he added.

According to Rice, what's needed is a change in the software development process that produces the code.

"You can't slam the security profession up to this point or the vendors because all of the firewalls, IDS's and everything... those are responses to the software engineering problem that we have. But, while we can buy a firewall or we can buy X technology, we're still buying it to solve a problem that's still being generated constantly. All we're doing is laying code on top of more code. So, the complexity goes up. From a college perspective, really what we want to see are more [college] programs teaching how to create some computer code and evaluate, as opposed to just having people running a console that happen to know about security concepts. We really want to add to the profession, an improvement of national information infrastructure," Rice explained.

Rice also indicated that any nation state really must improve the quality of the stuff [the software] that is starting to run our civilization.

Tightly integrating security into software code is a pretty new concept for most information technology people, although some in the security business seem to have been aware of the concept for some time. Part of the problem has been that changing the development focus to be aware of security at the code level can be very hard. Where do you go to get started?